It’s an unfortunate but predictable pattern: when there’s a disaster or federally declared emergency, fraud spikes. In the wake of COVID-19, financial institution fraud is on the rise thanks to a mostly virtual environment and exposed vulnerabilities in organizations’ security systems and processes.

Developing an increased awareness of the types of fraud schemes is an important part of mitigating and lowering the risk in the first place. While the CARES Act was a lifeline for struggling businesses and individuals, fraudsters have used it to exploit victims.

Financial Institution Fraud

Several federal agencies are monitoring financial fraud closely, including the SEC, FBI, FTC, and FinCEN. Within financial institutions, there are five types of fraud related to COVID-19 that credit unions need to be aware of.

New account fraud
The benefit of virtual banking and fewer hurdles for consumers to set up financial accounts also creates an environment where fraud is easier to commit. Bad actors will impersonate real people and/or steal their credentials to open a fake account, which they can then use to access fraudulently deposited funds. Credit unions need to increase their screening activities for new accounts opened online or over the phone to look for out-of-pattern behaviors and remain diligent in their member authentication process.

Identity theft
Identity theft happens when a fraudster uses personal information, such as a Social Security number, to open new accounts, make fraudulent purchases, or illegally claim government funding (e.g., stimulus checks, unemployment benefits, or tax refunds). Consumers aren’t the only ones at risk; credit unions and other financial institutions can be on the hook for unpaid balances due to fraud.

The best way to mitigate identity theft is to revisit your credit union’s formal identity theft prevention program. To do so, credit unions must have written policies and procedures to identify suspicious patterns or fraudulent practices and a program in place to detect fraud. The Red Flags Rule also calls for specifying actions when fraud is detected and how the credit union will stay current against new threats.

Cybersecurity risks
As more of the banking experience moves online, credit unions need to ensure their cybersecurity controls are updated and monitored regularly. All financial institutions are vulnerable to cyber-attacks, so staying ahead of the risk is important. The biggest external threats to cybersecurity are unencrypted data, malware, insecure third-party services, manipulated data, and spoofing. One of the best ways to combat cybersecurity risk is actually pretty simple: employee awareness and training. Frequent training on potential cybersecurity risks helps make employees aware of the pitfalls. The important thing to note here is that credit unions are no longer interacting only with members who are virtual; now both members and employees are virtual, and this presents different risks. In addition, it is important that credit unions take a top-down approach to prioritizing cybersecurity. If the “C-Suite” buys in to cybersecurity, everyone else throughout the credit union will follow suit.

Imposter and money mule schemes
Imposter schemes involve bad actors impersonating government agencies or other organizations to offer fraudulent services or otherwise steal money or information. There are many different forms of imposter schemes, and fraudsters can use text messaging, robocalls, social media, email, and the internet to deceive consumers. Money mule schemes involve someone who knowingly or unknowingly transfers illegally acquired money. Related to COVID-19, money mule fraud has included good-Samaritan, romance, and work-from-home schemes.
Credit unions have an important role in educating their members on what these scams look like and how to tell the difference between a legitimate organization and a potential fraud. Posting video messages or updates on your credit union’s website or social media platforms is a great way to raise awareness.

Mobile banking application fraud
Now that more and more credit unions are utilizing mobile apps, fraudsters are taking advantage of another opportunity to target consumers’ financial data. The FBI identified two main techniques that fraudsters use to manipulate mobile banking apps: app-based banking trojans and fake banking apps. As with imposter and money mule schemes, credit unions have a responsibility to educate their members on what potentially fraudulent activity looks like on the app. While multi-factor authentication may be a pain for members, it is a great way to increase security around mobile banking. Credit unions should be reinforcing to members that they should use secure, automatically generated passwords and only download apps from an official app store. Other tips for consumers include deleting texts from financial institutions, keeping the phone’s operating system updated, and calling the credit union with any questions or concerns.

SBA Loan Fraud

The Small Business Administration (SBA) issued billions of dollars in loans to struggling small businesses through the Paycheck Protection Program and Economic Injury Disaster Loans. It’s estimated that almost three-fourths of U.S. small businesses have benefited from PPP loan funds. And yet, not all of the money went to legitimate businesses. By August 2020, the U.S. Justice Department had initiated more than 40 cases of PPP loan fraud totaling more than $170 million, and the SBA itself has initiated several hundred potential fraud cases. Even though the fraud represents a small portion of all distributed funds, credit unions still need to be on the lookout.

Credit unions may have received EIDL advances on behalf of their members or issued PPP loans and as such can be vulnerable to fraudulent PPP or EIDL claims.

Red flags for SBA loan fraud include:

  • Applications with manipulated or fraudulent supporting documentation, or applications submitted under different names but with suspiciously similar documentation
  • Fake businesses without an internet presence
  • Existing accounts with low balances or without a history of payroll expenses
  • Newly created accounts and/or accounts where funds are quickly transferred after receiving loan proceeds

Business Tax Credits Fraud

Between the Families First Coronavirus Response Act (FFCRA) and the CARES Act, businesses were given tax credits to reimburse costs for paid sick leave and maintaining payroll during COVID-19. Tax credits are taken on a quarterly basis, but businesses may request an advance.

One of the more common types of COVID-19 tax credit fraud is double-dipping. Under SBA and CARES Act guidelines, businesses may not utilize the employee retention credit and PPP loan funds simultaneously (however, businesses may continue to claim the sick leave credit while using PPP funds).

Other types of fraud in this area are inflated payroll, U.S. Treasury check deposits into accounts without any payroll or business activity, and U.S. Treasury checks used to fund personal expenses.

Credit unions can be held liable for fraud if a member applies for PPP funds but is discovered to have been taking the employee retention credit at the same time. Additional background checks and document verification should be implemented to identify potential fraud.

Unemployment Insurance Fraud

Unemployment insurance was boosted in 2020 to give self-employed individuals access to funds and to increase the weekly benefit amount by $600. Many consumers relied on these funds to make ends meet, but there is a substantial amount of risk involved depending on how benefits have been distributed.

Red flags for unemployment insurance fraud include but aren’t limited to:

  • Member accounts receiving unemployment benefits from another state, especially if there is no known work history out-of-state
  • Benefits for multiple people deposited into the same account
  • New accounts used to collect unemployment benefits
  • Imposter and money mule schemes used to fraudulently acquire unemployment benefits

Unemployment fraud is applicable to most credit unions, especially small ones. Looking for these red flags can help to shield the credit union from unnecessary risk. Suspected unemployment insurance fraud should be reported to the Department of Labor Office of the Inspector General.
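The first three red flags above can be screened for automatically over deposit records. The following is an added example, not part of the original article: the record layout, the 30-day "new account" threshold, the flag names, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Assumed threshold (not from the article): an account is "new" if it was
# opened within this many days before the benefit deposit.
NEW_ACCOUNT_DAYS = 30

# Constructed sample data: account_id -> (member home state, open date)
ACCOUNTS = {
    "A100": ("VA", date(2015, 3, 2)),
    "A200": ("VA", date(2020, 6, 20)),
    "A300": ("MD", date(2018, 9, 14)),
}

# Constructed sample deposits:
# (account_id, paying state agency, beneficiary on the payment, deposit date)
DEPOSITS = [
    ("A100", "VA", "J. Doe", date(2020, 7, 1)),
    ("A200", "WA", "R. Roe", date(2020, 7, 2)),
    ("A300", "MD", "P. Poe", date(2020, 7, 3)),
    ("A300", "MD", "Q. Poe", date(2020, 7, 3)),
    ("A300", "MD", "P. Poe", date(2020, 7, 10)),
]

def flag_unemployment_deposits(accounts, deposits):
    """Return {account_id: sorted red-flag names} for accounts needing review."""
    flags = defaultdict(set)
    beneficiaries = defaultdict(set)
    for acct, paying_state, name, when in deposits:
        if acct not in accounts:
            # Deposit references an account we have no record for.
            flags[acct].add("unknown_account")
            continue
        home_state, opened = accounts[acct]
        # Home state is only a proxy; known out-of-state work history clears this.
        if paying_state != home_state:
            flags[acct].add("out_of_state_benefits")
        if 0 <= (when - opened).days <= NEW_ACCOUNT_DAYS:
            flags[acct].add("new_account")
        beneficiaries[acct].add(name.strip().lower())
    # Benefits for more than one person landing in the same account.
    for acct, names in beneficiaries.items():
        if len(names) > 1:
            flags[acct].add("multiple_beneficiaries")
    return {acct: sorted(f) for acct, f in flags.items()}

if __name__ == "__main__":
    for acct, hits in sorted(flag_unemployment_deposits(ACCOUNTS, DEPOSITS).items()):
        print(acct, ", ".join(hits))
```

Hits are leads for manual review rather than findings; an out-of-state flag in particular should be checked against the member's known work history before escalating.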

The challenge with detecting many of these types of fraud schemes is that rules and regulations are constantly evolving and stuck playing catch-up. Prior to COVID-19, introducing new regulations was a process that typically took 12-18 months, and now massive regulations are being released in a matter of days or weeks. In this environment, it’s almost expected that fraud risk will go up. Credit unions need to stay vigilant against financial fraud and help educate their members on potential scams.

Part of an ongoing fraud risk management program is working with external advisors who can help your financial institution stay on top of evolving threats and maintain secure internal controls. Questions about protecting credit unions or their members against financial fraud can be directed to JJ Edmunds, CPA, CIA, CISA, MSA, Audit and Assurance Manager on PBMares’ Credit Union Team.